<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>ZAP Scanning Report</title>
<link
	href="2024-11-24-ZAP-Report-/normalize/normalize.css" rel="stylesheet">
<link
	href="2024-11-24-ZAP-Report-/themes/original/main.css" rel="stylesheet">
<link
	href="2024-11-24-ZAP-Report-/themes/original/colors.css" rel="stylesheet">
</head>
<body>
	<header>
		<h1>ZAP Scanning Report</h1>
		<p>
			<span>Generated with</span> <a href="https://zaproxy.org"><img
				src="2024-11-24-ZAP-Report-/zap32x32.png" alt="The ZAP logo" class="zap-logo">ZAP</a>
			<span>on Sun 24 Nov 2024, at 13:59:23</span>
		</p>
		<p>ZAP Version: 2.15.0</p>
		<p>
			ZAP is supported by the <a href="https://crashoverride.com/?zap=rep">Crash Override Open Source Fellowship</a>
		</p>
	</header>

	<main>

		<section id="contents" class="contents">
			<h2>Contents</h2>
			<nav>
				<ol>
					<li><a
						href="#about-this-report">About this report</a>
						<ol>
							
							<li><a
								href="#report-parameters">Report parameters</a></li>
						</ol></li>
					<data-th-block>
					<li><a
						href="#summaries">Summaries</a>
						<ol>
							<li><a
								href="#risk-confidence-counts">Alert counts by risk and confidence</a></li>
							<li><a
								href="#site-risk-counts">Alert counts by site and risk</a></li>
							<li><a
								href="#alert-type-counts">Alert counts by alert type</a></li>
						</ol></li>
					<li><a
						href="#alerts">Alerts</a>
						<ol>
							<li><a
								href="#alerts--risk-3-confidence-1"><span>Risk</span>=<span
									class="risk-level">High</span>, <span>Confidence</span>=<span
									class="confidence-level">Low</span> <span>(1)</span></a></li>
							<li><a
								href="#alerts--risk-2-confidence-3"><span>Risk</span>=<span
									class="risk-level">Medium</span>, <span>Confidence</span>=<span
									class="confidence-level">High</span> <span>(1)</span></a></li>
							<li><a
								href="#alerts--risk-2-confidence-2"><span>Risk</span>=<span
									class="risk-level">Medium</span>, <span>Confidence</span>=<span
									class="confidence-level">Medium</span> <span>(2)</span></a></li>
							<li><a
								href="#alerts--risk-1-confidence-2"><span>Risk</span>=<span
									class="risk-level">Low</span>, <span>Confidence</span>=<span
									class="confidence-level">Medium</span> <span>(1)</span></a></li>
							<li><a
								href="#alerts--risk-0-confidence-2"><span>Risk</span>=<span
									class="risk-level">Informational</span>, <span>Confidence</span>=<span
									class="confidence-level">Medium</span> <span>(1)</span></a></li>
							<li><a
								href="#alerts--risk-0-confidence-1"><span>Risk</span>=<span
									class="risk-level">Informational</span>, <span>Confidence</span>=<span
									class="confidence-level">Low</span> <span>(1)</span></a></li>
						</ol></li>
					<li><a
						href="#appendix">Appendix</a>
						<ol>
							<li><a
								href="#alert-types">Alert types</a></li>
						</ol></li>
					</data-th-block>
				</ol>
			</nav>
		</section>

		<section
			id="about-this-report" class="about-this-report">
			<h2>About this report</h2>

			

			<section
				id="report-parameters">
				<h3>Report parameters</h3>
				<div class="report-parameters--container">
					<h4>Contexts</h4>
					
					
					<p>No contexts were selected, so all contexts were included by default.</p>
					  

					<h4>Sites</h4>
					
					<p>The following sites were included:</p>
					<ul class="sites-list">
						<li><span class="site">http://localhost:4000</span></li>
					</ul>
					
					<p>(If no sites were selected, all sites were included by default.)</p>
					<p>An included site must also be within one of the included contexts for its data to be included in the report.</p>

					<h4>Risk levels</h4>
					<p>
						<span>Included</span>:
						 
						<span class="included-risk-codes"><span class="risk-level">High</span>, <span class="risk-level">Medium</span>, <span class="risk-level">Low</span>, <span class="risk-level">Informational</span></span>
					</p>
					<p>
						<span>Excluded</span>:
						 <span>None</span>
						
					</p>

					<h4>Confidence levels</h4>
					<p>
						<span>Included</span>:
						
						
						<span class="included-confidence-codes"><span class="confidence-level">User Confirmed</span>, <span class="confidence-level">High</span>, <span class="confidence-level">Medium</span>, <span class="confidence-level">Low</span></span>
					</p>
					<p>
						<span>Excluded</span>:
						<span class="included-confidence-codes"><span class="confidence-level">False Positive</span></span>
					</p>
				</div>
			</section>
		</section>

		
		
		<section id="summaries" class="summaries">
			<h2>Summaries</h2>

			<section
				id="risk-confidence-counts">
				<h3>Alert counts by risk and confidence</h3>
				<table class="risk-confidence-counts-table">
					<caption>
						<p>This table shows the number of alerts for each level of risk and confidence included in the report.</p>
						<p>(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)</p>
					</caption>
					<colgroup>
						<col>
						<col>
					</colgroup>
					<colgroup>
						<col
							style="width: 14.0%"><col
							style="width: 14.0%"><col
							style="width: 14.0%"><col
							style="width: 14.0%">
						<col style="width: 14.0%">
					</colgroup>
					<thead>
						<tr>
							<td colspan="2" rowspan="2"></td>
							<th scope="colgroup"
								colspan="5">Confidence</th>
						</tr>
						<tr>
							<th scope="col">User Confirmed</th>
							<th scope="col">High</th>
							<th scope="col">Medium</th>
							<th scope="col">Low</th>
							<th scope="col">Total</th>
						</tr>
					</thead>
					<tbody>
						<tr>
							<th scope="rowgroup"
								rowspan="5">Risk</th>
							<th scope="row">High</th>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
							<td><span>1</span><br> <span class="additional-info-percentages">(14.3%)</span></td>
						</tr>
						<tr>
							
							<th scope="row">Medium</th>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
							<td><span>2</span><br> <span
								class="additional-info-percentages">(28.6%)</span></td>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>3</span><br> <span class="additional-info-percentages">(42.9%)</span></td>
						</tr>
						<tr>
							
							<th scope="row">Low</th>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>1</span><br> <span class="additional-info-percentages">(14.3%)</span></td>
						</tr>
						<tr>
							
							<th scope="row">Informational</th>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
							<td><span>2</span><br> <span class="additional-info-percentages">(28.6%)</span></td>
						</tr>
						<tr>
							<th scope="row">Total</th>
							<td><span>0</span><br> <span
								class="additional-info-percentages">(0.0%)</span></td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
							<td><span>4</span><br> <span
								class="additional-info-percentages">(57.1%)</span></td>
							<td><span>2</span><br> <span
								class="additional-info-percentages">(28.6%)</span></td>
							<td><span>7</span><br> <span
								class="additional-info-percentages">(100%)</span></td>
						</tr>
					</tbody>
				</table>
			</section>

			<section
				id="site-risk-counts">
				<h3>Alert counts by site and risk</h3>
				<table class="site-risk-counts-table">
					<caption>
						<p>This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.</p>
						<p>Alerts with a confidence level of &quot;False Positive&quot; have been excluded from these counts.</p>
						<p>(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)</p>
					</caption>
					<colgroup>
						<col>
						<col>
					</colgroup>
					<colgroup>
						<col
							style="width: 16.25%"><col
							style="width: 16.25%"><col
							style="width: 16.25%"><col
							style="width: 16.25%">
					</colgroup>
					<thead>
						<tr>
							<td colspan="2" rowspan="2"></td>
							<th scope="colgroup" colspan="4">Risk</th>
						</tr>
						<tr>
							<th scope="col">
								<span>High</span><br> <span
									class="additional-info-percentages">(= High)</span>
							</th>
							<th scope="col">
								<span>Medium</span><br> <span
									class="additional-info-percentages">(&gt;= Medium)</span>
							</th>
							<th scope="col">
								<span>Low</span><br> <span
									class="additional-info-percentages">(&gt;= Low)</span>
							</th>
							<th scope="col">
								<span>Informational</span><br> <span
									class="additional-info-percentages">(&gt;= Informational)</span>
							</th>
						</tr>
					</thead>
					<tbody>
						
					</tbody>
				</table>
			</section>

			<section
				id="alert-type-counts">
				<h3>Alert counts by alert type</h3>
				<table class="alert-type-counts-table">
					<caption>
						<p>This table shows, for each alert type, the number of alert instances (one instance per URL on which the alert was raised), together with the alert type&#39;s risk level. A single alert can have many instances, so the instance counts add up to more than the 7 alerts in the report; each row corresponds to exactly one of those 7 alerts.</p>
						<p>(The percentages in brackets divide each instance count by the total number of alerts included in this report, 7, rounded to one decimal place, which is why a row can show more than 100%.)</p>
					</caption>
					<thead>
						<tr>
							<th scope="col">Alert type</th>
							<th scope="col">Risk</th>
							<th scope="col">Count (instances)</th>
						</tr>
					</thead>
					<tbody>
						<tr>
							<th scope="row"><a
								href="#alert-type-0">Cloud Metadata Potentially Exposed</a></th>
							<td class="risk-level">High</td>
							<td><span>1</span><br> <span
								class="additional-info-percentages">(14.3%)</span></td>
						</tr>
						<tr>
							<th scope="row"><a
								href="#alert-type-1">Content Security Policy (CSP) Header Not Set</a></th>
							<td class="risk-level">Medium</td>
							<td><span>6</span><br> <span
								class="additional-info-percentages">(85.7%)</span></td>
						</tr>
						<tr>
							<th scope="row"><a
								href="#alert-type-2">Missing Anti-clickjacking Header</a></th>
							<td class="risk-level">Medium</td>
							<td><span>6</span><br> <span
								class="additional-info-percentages">(85.7%)</span></td>
						</tr>
						<tr>
							<th scope="row"><a
								href="#alert-type-3">Cross-Domain Misconfiguration</a></th>
							<td class="risk-level">Medium</td>
							<td><span>9</span><br> <span
								class="additional-info-percentages">(128.6%)</span></td>
						</tr>
						<tr>
							<th scope="row"><a
								href="#alert-type-4">X-Content-Type-Options Header Missing</a></th>
							<td class="risk-level">Low</td>
							<td><span>9</span><br> <span
								class="additional-info-percentages">(128.6%)</span></td>
						</tr>
						<tr>
							<th scope="row"><a
								href="#alert-type-5">Information Disclosure - Suspicious Comments</a></th>
							<td class="risk-level">Informational</td>
							<td><span>4</span><br> <span
								class="additional-info-percentages">(57.1%)</span></td>
						</tr>
						<tr>
							<th scope="row"><a
								href="#alert-type-6">Modern Web Application</a></th>
							<td class="risk-level">Informational</td>
							<td><span>6</span><br> <span
								class="additional-info-percentages">(85.7%)</span></td>
						</tr>
					</tbody>
					<tfoot>
						<tr>
							<th scope="row">Total</th>
							<td></td>
							<td>7</td>
						</tr>
					</tfoot>
				</table>
			</section>
		</section>

		<section id="alerts" class="alerts">
			<h2>Alerts</h2>
			<ol>
				<li id="alerts--risk-3-confidence-1">
					<h3>
						<span>Risk</span>=<span
							class="risk-level">High</span>, <span>Confidence</span>=<span
							class="confidence-level">Low</span> <span>(1)</span>
					</h3>
					<ol>
					</ol>
				</li>
				<li id="alerts--risk-2-confidence-3">
					<h3>
						<span>Risk</span>=<span
							class="risk-level">Medium</span>, <span>Confidence</span>=<span
							class="confidence-level">High</span> <span>(1)</span>
					</h3>
					<ol>
					</ol>
				</li>
				<li id="alerts--risk-2-confidence-2">
					<h3>
						<span>Risk</span>=<span
							class="risk-level">Medium</span>, <span>Confidence</span>=<span
							class="confidence-level">Medium</span> <span>(2)</span>
					</h3>
					<ol>
					</ol>
				</li>
				<li id="alerts--risk-1-confidence-2">
					<h3>
						<span>Risk</span>=<span
							class="risk-level">Low</span>, <span>Confidence</span>=<span
							class="confidence-level">Medium</span> <span>(1)</span>
					</h3>
					<ol>
					</ol>
				</li>
				<li id="alerts--risk-0-confidence-2">
					<h3>
						<span>Risk</span>=<span
							class="risk-level">Informational</span>, <span>Confidence</span>=<span
							class="confidence-level">Medium</span> <span>(1)</span>
					</h3>
					<ol>
					</ol>
				</li>
				<li id="alerts--risk-0-confidence-1">
					<h3>
						<span>Risk</span>=<span
							class="risk-level">Informational</span>, <span>Confidence</span>=<span
							class="confidence-level">Low</span> <span>(1)</span>
					</h3>
					<ol>
					</ol>
				</li>
			</ol>
		</section>

		<section id="appendix" class="appendix">
			<h2>Appendix</h2>

			<section id="alert-types" class="alert-types">
				<h3>Alert types</h3>
				<p class="alert-types-intro">This section contains additional information on the types of alerts in the report.</p>
				<ol>
					<li
						id="alert-type-0">
						<h4>Cloud Metadata Potentially Exposed</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									<span>raised by an active scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/90034/">Cloud Metadata Potentially Exposed</a>)
									</span>
								</td>
							</tr>
							
							
							<tr>
								<th scope="row">Reference</th>
								<td>
									<ol>
										<li><a
											href="https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/">https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/</a></li>
									</ol>
								</td>
							</tr>
						</table>
					</li>
					<li
						id="alert-type-1">
						<h4>Content Security Policy (CSP) Header Not Set</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									
									   <span>raised by a passive scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/10038/">Content Security Policy (CSP) Header Not Set</a>)
									</span>   
								</td>
							</tr>
							<tr>
								<th scope="row">CWE ID</th>
								<td><a
									href="https://cwe.mitre.org/data/definitions/693.html">693</a></td>
							</tr>
							<tr>
								<th scope="row">WASC ID</th>
								<td>15</td>
							</tr>
							<tr>
								<th scope="row">Reference</th>
								<td>
									<ol>
										<li><a
											href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy">https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</a></li>
										<li><a
											href="https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html</a></li>
										<li><a
											href="https://www.w3.org/TR/CSP/">https://www.w3.org/TR/CSP/</a></li>
										<li><a
											href="https://w3c.github.io/webappsec-csp/">https://w3c.github.io/webappsec-csp/</a></li>
										<li><a
											href="https://web.dev/articles/csp">https://web.dev/articles/csp</a></li>
										<li><a
											href="https://caniuse.com/#feat=contentsecuritypolicy">https://caniuse.com/#feat=contentsecuritypolicy</a></li>
										<li><a
											href="https://content-security-policy.com/">https://content-security-policy.com/</a></li>
									</ol>
								</td>
							</tr>
						</table>
					</li>
					<li
						id="alert-type-2">
						<h4>Missing Anti-clickjacking Header</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									
									   <span>raised by a passive scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/10020/">Anti-clickjacking Header</a>)
									</span>   
								</td>
							</tr>
							<tr>
								<th scope="row">CWE ID</th>
								<td><a
									href="https://cwe.mitre.org/data/definitions/1021.html">1021</a></td>
							</tr>
							<tr>
								<th scope="row">WASC ID</th>
								<td>15</td>
							</tr>
							<tr>
								<th scope="row">Reference</th>
								<td>
									<ol>
										<li><a
											href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</a></li>
									</ol>
								</td>
							</tr>
						</table>
					</li>
					<li
						id="alert-type-3">
						<h4>Cross-Domain Misconfiguration</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									<span>raised by a passive scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/10098/">Cross-Domain Misconfiguration</a>)
									</span>
								</td>
							</tr>
							<tr>
								<th scope="row">CWE ID</th>
								<td><a
									href="https://cwe.mitre.org/data/definitions/264.html">264</a></td>
							</tr>
							<tr>
								<th scope="row">WASC ID</th>
								<td>14</td>
							</tr>
							<tr>
								<th scope="row">Reference</th>
								<td>
									<ol>
										<li><a
											href="https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy">https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy</a></li>
									</ol>
								</td>
							</tr>
						</table>
					</li>
					<li
						id="alert-type-4">
						<h4>X-Content-Type-Options Header Missing</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									
									   <span>raised by a passive scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/10021/">X-Content-Type-Options Header Missing</a>)
									</span>   
								</td>
							</tr>
							<tr>
								<th scope="row">CWE ID</th>
								<td><a
									href="https://cwe.mitre.org/data/definitions/693.html">693</a></td>
							</tr>
							<tr>
								<th scope="row">WASC ID</th>
								<td>15</td>
							</tr>
							<tr>
								<th scope="row">Reference</th>
								<td>
									<ol>
										<li><a
											href="https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)">https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)</a></li>
										<li><a
											href="https://owasp.org/www-community/Security_Headers">https://owasp.org/www-community/Security_Headers</a></li>
									</ol>
								</td>
							</tr>
						</table>
					</li>
					<li
						id="alert-type-5">
						<h4>Information Disclosure - Suspicious Comments</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									
									   <span>raised by a passive scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/10027/">Information Disclosure - Suspicious Comments</a>)
									</span>   
								</td>
							</tr>
							<tr>
								<th scope="row">CWE ID</th>
								<td><a
									href="https://cwe.mitre.org/data/definitions/200.html">200</a></td>
							</tr>
							<tr>
								<th scope="row">WASC ID</th>
								<td>13</td>
							</tr>
							
						</table>
					</li>
					<li
						id="alert-type-6">
						<h4>Modern Web Application</h4>
						<table class="alert-types-table">
							<tr>
								<th scope="row">Source</th>
								<td>
									<span>raised by a passive scanner</span> <span>(<a
										href="https://www.zaproxy.org/docs/alerts/10109/">Modern Web Application</a>)
									</span>
								</td>
							</tr>
							
							
							
						</table>
					</li>
				</ol>
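				<p>Four of the alert types listed above (Content Security Policy (CSP) Header Not Set, Missing Anti-clickjacking Header, X-Content-Type-Options Header Missing and Cross-Domain Misconfiguration) are passive checks on response headers, so a fix can be verified by re-checking the headers the server actually sends. The script below is an added example written for this report; it is not ZAP's own code and not part of the scanned application. It approximates ZAP passive rules 10038, 10020, 10021 and 10098 (the authoritative logic is on the linked ZAP alert pages) and runs them over two constructed header sets: one typical of an unhardened development server such as the scanned http://localhost:4000, and one hardened equivalent. The origin https://app.example.test in the hardened set is a placeholder.</p>

```python
"""Re-check the four passive header findings from a ZAP report against a
captured HTTP response.

Added example, not ZAP's code: the checks approximate ZAP passive rules
10038 (CSP not set), 10020 (anti-clickjacking header), 10021
(X-Content-Type-Options) and 10098 (cross-domain misconfiguration).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    alert: str   # alert type name as it appears in the report
    risk: str    # ZAP risk level
    detail: str  # what was observed in the response headers


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_response_headers(headers: dict) -> list:
    """Return the passive alerts a response carrying these headers would raise."""
    findings = []
    content_type = (get_header(headers, "Content-Type") or "").lower()
    is_html = content_type.startswith("text/html")

    # 10038: HTML responses should carry a Content-Security-Policy header
    csp = get_header(headers, "Content-Security-Policy")
    if is_html and csp is None:
        findings.append(Finding("Content Security Policy (CSP) Header Not Set", "Medium",
                                "HTML response carries no Content-Security-Policy header"))

    # 10020: a CSP frame-ancestors directive supersedes X-Frame-Options in
    # modern browsers, so it is only checked when that directive is absent
    frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    xfo = get_header(headers, "X-Frame-Options")
    if is_html and not frame_ancestors:
        if xfo is None:
            findings.append(Finding("Missing Anti-clickjacking Header", "Medium",
                                    "no X-Frame-Options header and no CSP frame-ancestors directive"))
        elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(Finding("Missing Anti-clickjacking Header", "Medium",
                                    f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN"))

    # 10021: every response should opt out of MIME sniffing
    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options Header Missing", "Low",
                                "X-Content-Type-Options is missing or not 'nosniff'"))

    # 10098: a wildcard CORS origin lets any site read the response
    acao = get_header(headers, "Access-Control-Allow-Origin")
    if acao is not None and acao.strip() == "*":
        findings.append(Finding("Cross-Domain Misconfiguration", "Medium",
                                "Access-Control-Allow-Origin: * lets any origin read the response"))
    return findings


# Constructed sample headers (not captured from the scanned server): what an
# unhardened dev server typically sends, and a hardened equivalent.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",  # kept for browsers that ignore frame-ancestors
    "X-Content-Type-Options": "nosniff",
    # CORS, where needed at all, names one explicit origin instead of '*'
    # (https://app.example.test is a placeholder, not a real deployment)
    "Access-Control-Allow-Origin": "https://app.example.test",
    "Vary": "Origin",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = check_response_headers(headers)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.risk}] {f.alert}: {f.detail}")
```

				<p>To verify a fix, paste the headers of a real response (for example from ZAP's request/response view) into a dict and pass it to <code>check_response_headers</code>; an empty result means those four passive rules would no longer fire on that response. The Cloud Metadata Potentially Exposed alert is raised by an active scanner, as its Source row says, so it cannot be re-checked from headers alone and needs an active re-scan after the fix.</p>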
			</section>
		</section>
		 
	</main>
</body>
</html>



